Talk:LXC


Does it support file descriptor passing across isolation contexts?

Most unices support a mechanism to 'pass' a file descriptor through a socket. (http://archives.neohapsis.com/archives/postfix/2000-09/1476.html) For example, you might have a virus scanning daemon running as an unprivileged user, and then to scan a file, a client can pass an open file descriptor over the socket to the virus scanning daemon. The scanning daemon can then read that file to search for viruses, even though it is running under a user that normally cannot access the file.

Does LXC allow file descriptor passing of this type between security contexts?

PS- I've asked the same question about Talk:LXC, Talk:Linux-VServer and Talk:OpenVZ 128.112.139.195 (talk) 20:42, 11 November 2012 (UTC)

Please note that Wikipedia talk pages are for discussing *changes* to the article, and not a support forum for the product in question. (WP:TALK, WP:NOTFORUM) -- intgr [talk] 15:00, 12 November 2012 (UTC)
It is not a support question. It is a clarifying question, and is important for defining the isolation guarantees of these methods. 140.180.190.89 (talk) 03:33, 13 November 2012 (UTC)
Let me clarify. Right now, the article starts with "LXC ... method for running multiple isolated Linux systems (containers) on a single control host." (emphasis mine). I am saying that the term 'isolated' has gradations of meaning. That is why the Operating system-level virtualization article has a table describing that isolation in at least 9 dimensions (they call it 'features'). My question (I was the original poster) was meant to get more information to improve the article. 140.180.190.89 (talk) 03:42, 13 November 2012 (UTC)
Whatever intgr implied, you will most probably not get a qualified answer to such questions on the Wikipedia Talk page. Wikipedia users are lucky that people with the knowledge still bother to write articles; do not expect them to hang around ;-) User:ScotXWt@lk 10:07, 9 April 2014 (UTC)

As far as I can see, passing file descriptors through Unix sockets works between namespaces, just as Unix sockets can be used between namespaces if their associated files are accessible. Have a look at this explanation and net/unix/af_unix.c for Unix sockets and namespaces in general, and net/core/scm.c and its scm_fp_copy() for actual handling of SCM_RIGHTS. No namespace-related checks are there, as far as I can see.

So, how do we improve an article with this kind of info? Who comes to Wikipedia to read about such details? :) — Dsimic (talk | contribs) 04:16, 11 April 2014 (UTC)
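
The SCM_RIGHTS mechanism discussed in this thread, as an added example that is not part of the original discussion or of any project's code: a descriptor is sent over a Unix socket and the receiver reads the file through it after the sender has closed its copy and removed the path, so access follows the descriptor rather than the name. The function names, the temporary file and its contents are constructed for illustration; both socket ends live in one process (socketpair) and no namespaces are set up.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Send one open descriptor as SCM_RIGHTS ancillary data; 0 on success. */
static int send_fd(int sock, int fd) {
    char byte = 'F';                 /* one data byte must accompany it */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the receiver's new fd number or -1. */
static int recv_fd(int sock) {
    char byte;
    int fd = -1;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* 1 if the data is readable via the passed fd after the path was removed. */
int demo_fd_passing(void) {
    char path[] = "/tmp/scm_demo_XXXXXX", buf[64] = {0};  /* constructed file */
    const char data[] = "constructed sample data";
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int fd = mkstemp(path);
    int sent = fd >= 0 && write(fd, data, sizeof data) > 0 && send_fd(sv[0], fd) == 0;
    if (fd >= 0) { close(fd); unlink(path); }   /* sender's copy and name are gone */
    int got = sent ? recv_fd(sv[1]) : -1;
    int ok = got >= 0 && access(path, F_OK) != 0 &&
             pread(got, buf, sizeof buf - 1, 0) > 0 && strcmp(buf, data) == 0;
    if (got >= 0) close(got);
    close(sv[0]); close(sv[1]);
    return ok;
}
```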

Evading from LXC

Is this issue still present? Some information would be good, as the weblink does not present this information. --89.0.184.138 (talk) 17:02, 19 January 2013 (UTC)